Sean Mason | @SeanAMason | #BSidesNOLA www.SeanMason.com Sean Mason IR Mgr Security Analyst Sr. IT Auditor Web Developer @SeanAMason Director IR VP, Incident Response ExecuYve IR Leader InfoSec Team Lead Agile Development Manager Web Developer R1 ’96-‐’00 Technical School USAF ’01-‐’03 BS MIS McKendree University ’04-‐’06 ‘07 MBA Webster University ’08-‐’10 PMP CISA CISSP CISM ISSMP CSSLP ‘11 ’12-‐13 NMDC & AIMC GE Crotonville ’14-‐14 CCFP ’14-‐15 Prevention Will Fail Shifting Landscape Slower Response = Greater Risk 66% Of Breaches Took Months or Even Years to Discover 60% 60,000 Of Breaches Have Data Exfiltrated in First 24 Hours Number of Alerts Hackers Set Off at Neiman Marcus 229 Median Number of Days Advanced Attackers Present Before Detection 33% Of Organizations Discover Breaches Through Their Own Monitoring Stats: Verizon 2013 Data Breach Investigations Report, Mandiant MTrends 2014 & Neiman Marcus The Evolution of IR IR Source: David Bianco, Sqrrl Upfront Reality Ø You will get breached Ø Prevention is not a panacea Ø Detection is an absolute must Ø Outsourcing all Response is a recipe for failure Ø Speed to discovery and containment are critical Ø Intel isn’t just for spies anymore Threat Landscape Mental Anchors Threats are People Objec)ve Example Skill Poten)al Data Targets Named Actors Nuisance Hack)vism Insiders Cyber Crime State Sponsored/APT Access & PropagaYon DefamaYon, DestrucYon, Press & Policy Revenge, DestrucYon, Monetary Gain Financial Gain Economic, PoliYcal Advantage, DestrucYon Botnets & Spam Website Defacements, DDOS DestrucYon, The_ Credit Card The_ Intellectual Property The_, DDOS Low Low -‐ Med Med High Very High SensiYve InformaYon, Vulnerable Data Access to the Network, Compromising InformaYon Intellectual Property, Compromising InformaYon Credit Card Data, Personal IdenYfiable InformaYon, Health Records Intellectual Property, NegoYaYon, NaYonal Intelligence General Malware Syrian Electronic Army, LizardSquad, Anonymous Jimmy, Suzy, Sally, Johnny Russian Business Network (RBN) APT1, EnergeYc Bear Case Study AcquisiYon Acquiring Company ² Small 3rd party / acquisiYon targeted ² All infrastructure compromised, to include e-‐mail ² All data within acquisiYon stolen ² Waited unYl networks connected to move into acquiring company… IR Fundamentals Leadership Ø Credibility Ø Trust Ø Rapport Ø Consistency Organizational Design CISO IR Director Intelligence Security Opera)ons Center Incident Response Tools & Infra Strategic Intel ShiI 1 Coordinators Workflow/SW Tac)cal Intel ShiI 2 Detec)on Detec)on Physical Intel (a ShiI 3 Analysts Network/Infra a) Leverage for connecYon to CSO office to monitor company-‐wide & personnel threats. Organizational Sustainability & Elasticity Ø There simply isn’t enough talent Ø Don’t hire all Senior talent Ø Quit complaining- go do something! Ø Develop a pipeline of students & interns Ø Don’t be a school snob Ø Help schools design their InfoSec programs! Ø https://www.nsa.gov/ia/academic_outreach/nat_cae/ Ø Provide opportunities both ways Ø Give your mid-level folks opportunities Ø Bring in talent outside of IR Documentation — “A plan doesn’t need to be a single document anymore.” Ø Wiki or other Platform Ø Flexibility Ø Track Changes Ø “Open” Access Availability Ø Who is needed for wing-to-wing IR? (think outside security) Ø Who is on-call and when? (consider Holidays) Ø Pre-built DL’s for e-mails and info Ø Think through basics: Ø Phones, chat rooms, conference lines (2+), and remote access Name Role Phone # Ray Incident Coordinator 555-‐2368 Danny Incident Coordinator 555-‐0840 Kate Network Team 606-‐0842 Jenny AD Team 867-‐5309 Alicia CISO 489-‐4608 Mike Incident Response 330-‐281-‐8004 Emily CIO 212-‐664-‐7665 Philip Legal Counsel 818-‐775-‐3993 Ramona Public RelaYons 212-‐664-‐7665 Business Leaders? Law Enforcement? Clear expecta:ons for returning phone calls RACI Ø Who does what? (think outside security) Ø Set expectations Ø Helps define process Incident Severities — “Not all incidents are created equal.” Ø Define a common lexicon for incidents Ra)ng Impact Descrip)on Breach 1 1 Intruder has exfiltrated sensiYve data or is suspected of exfiltraYng sensiYve data based on volume, etc. Breach 2 2 Intruder has exfiltrated nonsensiYve data or data that will facilitate access to sensiYve data Breach 3 3 Intruder has established command and control channel from asset with ready access to sensiYve data Cat 1 4 Intruder has compromised asset with ready access to sensiYve data Cat 2 5 Intruder has compromised asset with access to sensiYve data but requires privilege escalaYon Cat 3 6 Intruder is amempYng to exploit asset with access to sensiYve data Cat 6 7 Intruder is conducYng reconnaissance against asset with access to sensiYve data Vuln 1 8 Intruder must apply limle effort to compromise asset and exfiltrate sensiYve data Vuln 2 9 Intruder must apply moderate effort to compromise asset and exfiltrate sensiYve data Vuln 3 10 Intruder must apply substanYal effort to compromise asset and exfiltrate sensiYve data Ø Simplified & Flexible Ø Focus more on capability Ra)ng Descrip)on Response/Containment Severity 0 Intruder has exfiltrated sensiYve data or is currently inside network. DDOS that has impacted availability. Malware outbreak. 1 hour Severity 1 Indicators show that an intruder is amempYng to gain a foothold or has amained an iniYal foothold on the network. DDOS that has the potenYal to impact availability. Malware causing disrupYon. 4 hours Severity 2 Compromised machine (General Malware) 72 hours Communication — “Compartmentalizing information is a recipe for failure.” Ø Communicate broadly, engage others Ø Communication template, rhythm and formats Ø Mobile technology and speed of information Incident Severity Comm Rhythm Audience Grave (KC7) Within 1hr – Conf. Call 2x Daily – Conf. Call COB Daily – E-‐mail • • • • • • • • COO CSO CIO General Counsel Director of PR CISO Director of IR Chief Security Architect Significant (KC6) Within 1hr – E-‐mail COB Daily – E-‐mail • CISO • Director of IR • Chief Security Architect Benign (KC1-‐5) As needed or upon escalaYon • Director of IR • Security Manager Internal Communications — “‘I don’t know’ is a valid answer, but qualify it with ac:ons.” Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at. Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact. Summary: Executive level summary, no longer than a paragraph, on the current status. Impact: Current actual business impact- exfil? Servers down? Next Update: 06-11-2014 1600 EST Incident Status: More details on what is currently happening during the incident. Intelligence & Attribution Summary: If your org has an intelligence group, details would go here. Host Status: Deeper details on affected accounts or hosts. Action Items: Ac)on Status Owner Est. Comp Assemble Response Team Complete J. Smith 11 Jun 1200 EST Review Network Architecture Diagrams Complete S. Johnson 11 Jun 1600 EST Review ConfiguraYon Sepngs In Progress S. Johnson 13 Jun 1200 EST Establish secure FTP site In Progress S. Johnson 13 Jun 1600 EST Collect forensic evidence Pending R. White TBD Note: Updated information is shaded in Green and completed actions are struck through. External Communications Ø “Think Twitter” & the speed of information Ø Have approved templates ready to go Ø External, Internal, and Business Partners Ø Test and ensure you can actually identify all parties Ø Establish “easy-to-sign” NDA’s for use in the event of x-biz incidents Intel Highlights Types of Intel Source: MWR InfoSecurity, 2015 Increasing risk & cost to contain & remediate Kill Chain (KC) KC1- Reconnaissance: Collecting information about the target organization Recon KC2- Weaponization: Packaging the threat for delivery Weapon-‐ izaYon KC3- Delivery: Transmission of the weaponized payload Delivery KC4- Exploitation: Exploting vulnerabilities on a system ExploitaYon InstallaYon KC5- Installation: Installing malware on a target KC6- Command & Control: Providing “hands on the keyboard” access to the target system C2 AcYons on Intent KC7- Actions on Intent: The attacker achieves their objective (e.g. stealing information) “Intelligence-‐Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed MarYn Structured Intel storage & analysis Ø Ø Ø Ø Ø Incident Management Indicator Management Threat Actor Dossiers Ma nage the “Sharing Problem” Implementing threat sharing standards Intel-Driven Prevention & Detection Prevention & Detection Scenarios Recon Weaponization Deliver File File Behavior Behavior File - Name File - Path File Win Registry Key URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4addr URI - URL File - Path Exploitation File File - Name File - Name URI- Domain Name URI – Domain Name URI - URL HTTP - POST Email Header Subject Email Header – XMailer Hash – MD5 Act on Objectives Installation C2 Code – Binary Code Behavior Behavior Win Process Win Registry Key Win Process Win Registry Key File Win Registry Key Win Service File File File - Path URI – Domain Name File - Path URI – URL File - Name URI - URL File - Name Hash – MD5 URI – Domain Name HTTP - GET URI – Domain Name Hash – SHA1 Address – cidr Address – ipv4addr URI - URL HTTP - GET HTTP – UA String Hash – SHA1 Hash – MD5 Address – e-mail Hash – SHA1 Address – ipv4addr Address – e-mail HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail URI – URL Hash – MD5 Hash – SHA1 Address – ipv4addr Address – ipv4addr Address – ipv4addr Created by David Bianco, GE-‐CIRT Platform Strengths (example IDS Solution) Recon Weaponization Deliver File File Behavior Behavior File - Name File - Path File Win Registry Key URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4addr URI - URL File - Path Exploitation File File - Name File - Name URI- Domain Name URI – Domain Name URI - URL HTTP - POST Email Header Subject Email Header – XMailer Hash – MD5 Act on Objectives Installation C2 Code – Binary Code Behavior Behavior Win Process Win Registry Key Win Process Win Registry Key File Win Registry Key Win Service File File File - Path URI – Domain Name File - Path URI – URL File - Name URI - URL File - Name Hash – MD5 URI – Domain Name HTTP - GET URI – Domain Name Hash – SHA1 Address – cidr Address – ipv4addr URI - URL HTTP - GET HTTP – UA String Hash – SHA1 Hash – MD5 Address – e-mail Hash – SHA1 Address – ipv4addr Address – e-mail HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail URI – URL Hash – MD5 Hash – SHA1 Address – ipv4addr Address – ipv4addr Address – ipv4addr Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-‐CIRT All Platforms (aggregated view) Recon Weaponization Deliver File File Behavior Behavior File - Name File - Path File Win Registry Key URI – Domain Name URI – URL HTTP - GET HTTP – UA String Address – e-mail Address – ipv4addr URI - URL File - Path Exploitation File File - Name File - Name URI- Domain Name URI – Domain Name URI - URL HTTP - POST Email Header Subject Email Header – XMailer Hash – MD5 Act on Objectives Installation C2 Code – Binary Code Behavior Behavior Win Process Win Registry Key Win Process Win Registry Key File Win Registry Key Win Service File File File - Path URI – Domain Name File - Path URI – URL File - Name URI - URL File - Name Hash – MD5 URI – Domain Name HTTP - GET URI – Domain Name Hash – SHA1 Address – cidr Address – ipv4addr URI - URL HTTP - GET HTTP – UA String Hash – SHA1 Hash – MD5 Address – e-mail Hash – SHA1 Address – ipv4addr Address – e-mail HTTP - POST HTTP – UA String Hash – MD5 Hash – SHA1 Address – e-mail URI – URL Hash – MD5 Hash – SHA1 Address – ipv4addr Address – ipv4addr Address – ipv4addr Notes: Security solutions are able to investigate, analyze and monitor this indicator type Security solutions are unable to track this indicator type. These areas represent gaps Created by David Bianco, GE-‐CIRT Coverage gaps Recon HTTP – UA String Weaponization Deliver Exploitation Installation C2 Act on Objectives File Email Header - Subject Hash – MD5 File - Path Email Header – X-Mailer Hash – SHA1 URI - URL Created by David Bianco, GE-‐CIRT Containment & Collection Outpost Locations Outpost server Centralized Storage/Analysis Example locations Containment — “Containment is arguably the most cri:cal decision in IR” Ø Who can accessed compromised devices? Ø How will you track down the devices? Ø When do you contain? Ø Who makes the containment call? Ø What method(s) will you use? Virtual Isolation Ø Ø Ø Ø ICMP – Network Identification DNS (UDP/53) – Host Resolution SMB (TCP/445)– Authentication DHCP (TCP/67) - Persistence Specified Domain Controllers Suspect (x.x.x.x/8) C:\Isolator.bat Netsh ipsec add policy “virtual isolation” SecPermit Outpost_IP ANY ANY Netsh ipsec add policy “virtual isolation” SecPermit DC_IP TCP TCP Netsh ipsec add policy “virtual isolation” SecPermit 67 TCP TCP Netsh ipsec add policy “virtual isolation” SecPermit 53 ANY ANY Netsh ipsec add policy “virtual isolation” SecPermit 445 TCP TCP Netsh ipsec add policy “virtual isolation” Block ANY ANY ANY more %cd%\usernotification.txt | msg %username% Outposts Created by David Trollman, GE-‐CIRT Quarantine Internet Routable IPs Internal IP Space (x.x.x.x/8) Suspect VPN IPs Necessary Protocols* *- ICMP – Network Identification *- DNS (UDP/53) – Host Resolution Created by David Trollman, GE-‐CIRT Analysis Host & network forensic analysis Volatility Ø Where are the logs? Do you aggregate logs? Ø Does the team have access to the compromised logs & devices? Ø Preserve forensic evidence Ø Who is properly trained to do the forensics? Do they have tools? Analysis Infrastructure Ø Don’t forget to invest in hardware Ø Analysis Servers (CPU + RAM) Ø Storage (TBs) Ø Responder Laptops (MBP) Staying Prepared Recurring testing – “You shouldn’t be inventing process during a crisis.” Ø Paper Test – Ensure all documentation, templates, etc… are properly updated. Ø Table Top Exercise – Verbally walking through a number of different IR scenarios. Ø Simulated Incident – A more invasive test that leverages a Red Team to simulate an attack (or utilize existing malware samples). Allows for a more comprehensive test of the IRT, to include forensic work. Ø Blind Test (e.g. War Games) – Similar to Simulation testing, but leadership coordinates the attack unbeknownst to the IRT. Outside of IR… Ø Leverage the team for other hot issues such as: Ø Ø Ø Ø Ø Ø Ø Heartbleed Venom Insider cases Counterfeit gear Software piracy Acquisition evaluations Etc… Metrics IR measured cycle times Event (Event Time) Event Tria ge (Detect Time) Dwell Time Event Analysis How fast did we find it? Report (Report Time) Report IR Actions (Contain Time) Contain Time Contain How fast did we respond to it? Remedia tion (Remedia tion Time) Business Impact Time Remediate How fast did we fix it? Dwell Time + Contain Time = Time of unauthorized a ccess to asset Dwell & Contain Example Data Intel & Detection Intel Source Success 120 100% 100 80% 80 60 40 60% 40% 20 20% 0 0% False PosiYves Incidents Success Rate Example Data Collection & Analysis Example Data Wrapping it up… Nascent: Incident Response • SIEM • AV/HIPS • ETDR • IDS/IPS • Etc… • Rebuild Host(s) • Reset Password(s) • Countermeasures • Lessons Learned • Contain Host(s) • Reset Password(s) • Acquire Evidence Detect Contain & Collect Remediate Analyze • Movement • Methods • Account • Timelines Evolved: Intel-driven risk mitigation Sources TacYcal Intel PrevenYon Intel Analysis DetecYon Triage Response Strategic Intel Analysis Other FuncYons Containment CollecYon Lessons Learned Final thoughts Ø Prevention Will Fail. Invest in Intel & IR; it can be measured, evolved, and simplified Ø Detection should be based on a foundation of prioritized intel; understand your strengths, gaps and weaknesses Ø Intel is more than a nice to have- it is a requirement; a structured approach will assist the overall information security program Ø Think beyond IT; Partnerships are critical to success. Educate and form alliances in the business and externally (e.g. local FBI office, competitors, colleges) Ø Communicate findings back into other functions; Defense is a team sport Ø Reward your teams! Questions? Sean Mason Sean@SeanMason.com Twitter: @SeanAMason Web: www.SeanMason.com LI: www.linkedin.com/in/SeanMason
© Copyright 2024